|
BugTraq
Solaris priocntl exploit Nov 27 2002 03:00AM ÝþÒãÁ? (kk_qq 263 net) (3 replies) Re: Solaris priocntl exploit - Sol8 patches available Dec 27 2002 01:15PM Scott Howard (scott doc net au) |
|
 Privacy Statement |
>The module's name is a relative path, priocntl will search the module file
>in only /kernel/sched and /usr/kernel/sched/ dirs.
>but unfortunately, priocntl() never check '../' in pc_clname arg
>we can use '../../../tmp/module' to make priocntl() load a module from anywhere
The "pc_clname[]" argument is limited in size; to prevent this particular
bug from being exploited you could:
for dir in /kernel /usr/kernel
do
cd $dir
mkdir -p a/b/c/d/e/f/g/h
mv sched a/b/c/d/e/f/g/h
ln -s a/b/c/d/e/f/g/h/sched .
done
Casper
[ reply ]